US9380008B2

Movatterモバイル変換

Info

Publication number: US9380008B2
Application number: US14/042,587
Authority: US
Inventors: Karempudi Ramarao; Tefcros Anthias, JR.; Sunil Potti; Sandeep Kumar; Stephen Cho; Alex Yin-Man Chan; Yi Jin; Ricky Ho
Original assignee: Cisco Technology Inc
Current assignee: Cisco Technology Inc
Priority date: 2004-12-06
Filing date: 2013-09-30
Publication date: 2016-06-28
Also published as: US8312148B2; US20140032690A1; EP1839174A4; US20060123425A1; US7987272B2; WO2006062814A3; WO2006062814A2; US20060123477A1; US7996556B2; CN101371237A; EP1839174B1; CN101371237B; US20110208867A1; US20060123467A1; EP1839174A2; US8549171B2

Abstract

A method is disclosed for high-speed processing of structured application messages in a network device. According to one aspect, a network device receives a structured application layer message and identifies, in message classification requirements at the network device, a reference to a classification portion of the structured application layer message and an operation portion of the structured application layer message. The system extracts, based on one or more expressions, a portion of the message for classifying the structured application layer message and classifies the message using the extracted portion and according to the message classification requirements. At least in part by accessing information indicated by one or more location identifiers, at least one operation is performed on the classified structured application layer message.

Description

BENEFIT CLAIM

This application claims the benefit as a Continuation of U.S. patent application Ser. No. 11/089,794, filed Mar. 24, 2005, which is a continuation-in-part of U.S. patent application Ser. No. 11/005,978, filed on Dec. 6, 2004, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein. The applicant(s) hereby rescind any disclaimer of claim scope in the parent application(s) or the prosecution history thereof and advise the USPTO that the claims in this application may be broader than any claim in the parent application(s).

FIELD OF THE INVENTION

The present invention generally relates to network elements in computer networks. The invention relates more specifically to a method and apparatus for high-speed processing of structured application messages in a network device.

BACKGROUND

The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.

In a business-to-business environment, applications executing on computers commonly communicate with other applications that execute on other computers. For example, an application “A” executing on a computer “X” might send, to an application “B” executing on a computer “Y,” a message that indicates the substance of a purchase order.

Computer “X” might be remote from computer “Y.” In order for computer “X” to send the message to computer “Y,” computer “X” might send the message through a computer network such as a local area network (LAN), a wide-area network (WAN), or an inter-network such as the Internet. In order to transmit the message through such a network, computer “X” might use a suite of communication protocols. For example, computer “X” might use a network layer protocol such as the Internet Protocol (IP) in conjunction with a transport layer protocol such as the Transport Control Protocol (TCP) to transmit the message.

Assuming that the message is transmitted using TCP, the message is encapsulated into one or more data packets; separate portions of the same message may be sent in separate packets. Continuing the above example, computer “X” sends the data packets through the network toward computer “Y.” One or more network elements intermediate to computer “X” and computer “Y” may receive the packets, determine a next “hop” for the packets, and send the packets towards computer “Y.”

For example, a router “U” might receive the packets from computer “X” and determine, based on the packets being destined for computer “Y,” that the packets should be forwarded to another router “V” (the next “hop” on the route). Router “V” might receive the packets from router “U” and send the packets on to computer “Y.” At computer “Y,” the contents of the packets may be extracted and reassembled to form the original message, which may be provided to application “B.” Applications “A” and “B” may remain oblivious to the fact that the packets were routed through routers “U” and “V.” Indeed, separate packets may take separate routes through the network.

A message may be transmitted using any of several application layer protocols in conjunction with the network layer and transport layer protocols discussed above. For example, application “A” may specify that computer “X” is to send a message using Hypertext Transfer Protocol (HTTP). Accordingly, computer “X” may add HTTP-specific headers to the front of the message before encapsulating the message into TCP packets as described above. If application “B” is configured to receive messages according to HTTP, then computer “Y” may use the HTTP-specific headers to handle the message.

In addition to all of the above, a message may be structured according to any of several message formats. A message format generally indicates the structure of a message. For example, if a purchase order comprises an address and a delivery date, the address and delivery date may be distinguished from each other within the message using message format-specific mechanisms. For example, application “A” may indicate the structure of a purchase order using Extensible Markup Language (XML). Using XML as the message format, the address might be enclosed within “<address>” and “</address>” tags, and the delivery date might be enclosed within “<delivery-date>” and “</delivery-date>” tags. If application “B” is configured to interpret messages in XML, then application “B” may use the tags in order to determine which part of the message contains the address and which part of the message contains the delivery date.

Often, though, different applications are designed to use different application layer protocols to send and receive messages. For example, application “A” might be designed to send messages using only HTTP, but application “B” might be designed to receive messages using only File Transfer Protocol (FTP), another application layer protocol. Furthermore, different applications may be designed to use different message formats to format and interpret messages. For example, application “A” might be designed to format messages using only XML, but application “B” might be designed to interpret messages using only Electronic Data Interchange (EDI).

Usually, it is not practical or even possible to design or update an application so that the application can converse with other applications using all possible message formats and application layer protocols. Some message formats and application layer protocols may be proprietary and not publicly disclosed. Some message formats and application layer protocols may be relatively new and obscure. Some message formats and application layer protocols may be so old as to be considered generally obsolete.

In order to reduce the amount of application modification required to allow an application to converse with other applications that might use different message formats and/or application layer protocols, intermediary network elements separate from such applications may be designed to receive messages, “translate” the messages, and then send the messages. This translation may be achieved by looking for a specified bit pattern beginning at a specified bit location in a packet, and then altering bits at the specified bit location if the specified bit pattern is found. For example, a network appliance “J” might be designed to receive messages that have been sent using HTTP and send those messages using FTP instead. For another example, a network appliance “K” might be designed to receive messages that are in XML format and translate those messages into EDI format. Thus, if application “A” sends messages in XML using HTTP, and application “B” receives messages in EDI using FTP, then application “A” can be configured so that messages that application “A” normally would address to application “B” are addressed to network appliance “J” instead. The network administrator can configure network appliance “J” to send messages to network appliance “K,” and the network administrator can configure network appliance “K” to send messages to application “B.”

Unfortunately, this approach requires a lot of effort from the network administrator. As the number of possible different application layer protocols and message formats used by communicating applications increases, the number of network appliances and paths between those network appliances rises dramatically. For each pair of sending and receiving applications, a network administrator following this approach must configure the applications and network appliances involved to ensure that the messages will follow the correct path through the relevant network appliances. Thus, if each of applications “A,” “B,” “C,” “D,” and “E” needed to communicate with each other, the network administrator following this approach might need to configure 25 different “paths” of one or more network appliances each. As applications are added, removed, and modified, the network administrator may need to add and/or remove certain network appliances from certain paths between application pairs. When many applications are involved, the burden can be more than most network administrators can bear.

Additionally, if multiple paths are configured to contain the same network appliance, then the network appliance may become a bottleneck that degrades network performance.

Thus, this “pair-wise path configuration” approach is impractical when applied to systems in which large numbers of diverse applications communicate. A more practical technique for allowing a multitude of diverse applications to communicate is needed.

Further, it is desirable to have a network appliance analyze messages as the messages are passed through the network appliance and route messages according to the content of each message. For example, if application “A” sends messages in XML and applications “B” and “C” both receive messages in XML, the network appliance can analyze the message content, either partially or entirely, and route the message to the proper destination. Messages sent to applications “B” and “C” might be load balanced by the network appliance. Messages might be categorized via rules on the network appliance and, depending on the results of a message analysis, the network appliance may send high-priority messages to application “B” and low-priority messages to application “C”.

Unfortunately, network appliances have not performed this type of analysis. Applications are responsible for selecting the destinations of their own messages. This creates the problems with message translation as discussed above as well as requiring each application to keep track of the destination of each type of message. A technique for analyzing message content in a network appliance that does not require applications to monitor the destinations of each message is needed.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

FIG. 1 is a block diagram that illustrates an overview of one embodiment of a system in which one or more network elements perform message payload processing functions on behalf of an application;

FIG. 2 depicts a flow diagram that illustrates an overview of one embodiment of a method of performing message payload processing functions at a network element on behalf of a client application;

FIGS. 3A-B depict a flow diagram that illustrates one embodiment of a method of performing message payload processing functions at a network element on behalf of an application;

FIG. 4 depicts a sample flow that might be associated with a particular message classification;

FIG. 5 is a block diagram that illustrates a computer system upon which an embodiment may be implemented;

FIG. 6A is a block diagram that illustrates one embodiment of a router in which a supervisor blade directs some packet flows to an AONS blade and/or other blades;

FIG. 6B depicts a flow diagram that illustrates one embodiment of a method of filtering packets for which message level processing is to be performed;

FIG. 7 is a diagram that illustrates the various components involved in an AONS network according to one embodiment;

FIG. 8 is a block diagram that depicts functional modules within an example AONS node;

FIG. 9 is a diagram that shows multiple tiers of filtering that may be performed on message traffic in order to produce only a select set of traffic that will be processed at the AONS layer;

FIG. 10 is a diagram that illustrates the path of a message within an AONS cloud according to a cloud view;

FIG. 11A andFIG. 11B are diagrams that illustrate a request/response message flow;

FIG. 12A andFIG. 12B are diagrams that illustrate alternative request/response message flows;

FIG. 13 is a diagram that illustrates a one-way message flow;

FIG. 14 is a diagram that illustrates alternative one-way message flows;

FIG. 15A andFIG. 15B are diagrams that illustrate a request/response message flow with reliable message delivery;

FIG. 16 is a diagram that illustrates a one-way message flow with reliable message delivery;

FIG. 17 is a diagram that illustrates synchronous request and response messages;

FIG. 18 is a diagram that illustrates a sample one-way end-to-end message flow;

FIG. 19 is a diagram that illustrates message-processing modules within an AONS node;

FIG. 20 is a diagram that illustrates message processing within AONS node;

FIG. 21,FIG. 22, andFIG. 23 are diagrams that illustrate entities within an AONS configuration and management framework;

FIG. 24 is a diagram that illustrates an AONS monitoring architecture.

FIG. 25 is a diagram that illustrates an AONS router correlating request and response packets;

FIG. 26 is a block diagram that illustrates one embodiment of a router in which a supervisor blade directs some packet flows to an AONS blade;

FIG. 27 depicts a flow diagram that illustrates high-level steps in an embodiment of a method for high-speed processing of structured application messages in a network device;

FIG. 28 depicts a flow diagram that illustrates an embodiment of a method for high-speed processing of structured application messages in a network device; and

FIG. 29 depicts a flow diagram that illustrates an efficient embodiment of a method for high-speed processing of structured application messages in a network device.

DETAILED DESCRIPTION

A method and apparatus for high-speed processing of structured application messages in a network device is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

Embodiments are described herein according to the following outline:

- 1.0 General Overview
- 2.0 Structural and Functional Overview
- 3.0 Implementation Examples
  - 3.1 Multi-Blade Architecture
  - 3.2 Performing Message Payload Processing Functions At A Network Element
  - 3.3 Action Flows
  - 3.4 Filtered Processing
  - 3.5 AONS Examples
    - 3.5.1 AONS General Overview
    - 3.5.2 AONS Terminology
    - 3.5.3 AONS Functional Overview
    - 3.5.4 AONS System Overview
    - 3.5.5 AONS System Elements
    - 3.5.6 AONS Example Features
    - 3.5.7 AONS Functional Modules
    - 3.5.8 AONS Modes of Operation
    - 3.5.9 AONS Message Routing
    - 3.5.10 Flows, Bladelets™, and Scriptlets™
    - 3.5.11 AONS Services
    - 3.5.12 AONS Configuration and Management
    - 3.5.13 AONS Monitoring
    - 3.5.14 AONS Tools
    - 3.5.15 AONS Structured Application Message Processing
- 4.0 Implementation Mechanisms—Hardware Overview
- 5.0 Extensions and Alternatives
  1.0 General Overview

The needs identified in the foregoing Background, and other needs and objects that will become apparent for the following description, are achieved in the present invention, which comprises, in one aspect, a method for high-speed processing of structured application messages in a network device. According to one embodiment, the network device monitors traffic between a plurality of client applications and server applications.

In an embodiment, a network device receives a set of message classification rules that have been prepared beforehand by a system administrator or customer. The system analyzes the message classification rules to determine what part(s) of the message are necessary to classify a message according to the message classification rules. The analysis is performed off-line. This allows the system to consider only the relevant parts of the message and ignore the rest of the message. The system first extracts the portion of the message necessary for classifying the message using pre-determined structured message format information.

The message is then classified using the values of the extracted information. The message classification rules are used to evaluate the extracted information. The classification can be based on a certain value, name, destination, combinations of information, etc. In most instances, message classification is based on either the message header or, in addition to the header, some small initial part of the message body itself.

A unique sequence of operations is implied by the message classification and those operations must then be applied to the message. As with the classification, these operations are also known a priori and are pre-analyzed to make intelligent decisions about the parts of the message that need to be accessed. The operations may tell the system that the message is to be routed to a destination different from the originally addressed destination or is to be stored in a local database or an external database.

In other aspects, the invention encompasses a computer apparatus and a computer-readable medium configured to carry out the foregoing steps.

2.0 Structural and Functional Overview

FIG. 1 is a block diagram that illustrates an overview of one embodiment of asystem100 in which one or more of

network elements

102,104,106, and108 perform message payload processing functions on behalf of an application.

Network elements

102,106, and108 may be proxy devices, for example.Network element104 may be a network router such asrouter600 depicted inFIGS. 6A and 6B below, for example.

Client application

110 is coupled communicatively withnetwork element102. Aserver application112 is coupled communicatively tonetwork element106. Aserver application114 is coupled communicatively tonetwork element108. Each ofclient application110 and

server applications

112 and114 may be a separate computer. Alternatively, each ofclient application110 and

server applications

112 and114 may be a separate process executing on the same computer.

Network elements

102 and104 are coupled communicatively with anetwork116.

Network elements

104 and106 are coupled communicatively with anetwork118.

Network elements

104 and108 are coupled communicatively with anetwork120. Each of

networks

116,118, and120 is a computer network, such as, for example, a local area network (LAN), wide area network (WAN), or internetwork such as the Internet.

Networks

116,118, and120 may contain additional network elements such as routers.

In one embodiment,client application110 addresses messages to

server applications

112 and114, and

network elements

102,104,106, and108 intercept the data packets that contain the messages. In an alternative embodiment,client application110 explicitly addresses messages tonetwork element102.

Network elements

102,104,106, and108 assemble one or more data packets to determine at least a portion of a message contained therein. Based on the message,

network elements

102,104,106, and108 perform one or more actions. Examples of some of these actions are described in further detail below.

FIG. 2 depicts a flow diagram200 that illustrates an overview of one embodiment of a method of performing message payload processing functions at a network element on behalf of a client application. Such a method may be performed, for example, by any of

network elements

102,104,106, and108.

Inblock202, a network element receives user-specified input. The user-specified input indicates a message classification and one or more actions that are associated with the message classification. For example,network element104 may receive such user-specified input from a network administrator. The message classification defines a category or class of messages. For example, all purchase orders might belong to the same message classification. Messages that satisfy user-specified criteria or rules associated with the message classification belong to the message classification, while messages that do not satisfy these criteria or rules do not belong to the message classification.

Inblock204, the network element receives one or more data packets. For example,network element104 may intercept one or more data packets that are destined forserver application112. For another example,network element102 may receive one or more data packets that are destined fornetwork element102.Network element102 is capable of determining application layer message boundaries, so, in one embodiment,network element102 may perform operations (as described below) on an application layer message contained in a stream, or portions thereof, even ifnetwork element102 has not yet received all of the data packets that contain all of the portions of the application layer message.

Inblock206, based on the data packets, it is determined that an application layer message collectively contained in payload portions of the data packets belongs to the particular message classification. For example,network element104 may assemble at least some of the data packets.Network element104 may inspect the contents of the payload portions of the assembled data packets to determine at least a portion of an application layer message thatclient application110 is trying to send. The message may be, for example, a purchase order formatted according to XML and transmitted using HTTP. As such, the message may contain HTTP and XML headers. Based on the message content and/or information in the data packet headers,network element104 may determine that the message belongs to the particular message classification indicated in the user-specified input. For example,network element104 may determine, based on a portion of the message, that the message is a purchase order.

Inblock208, at least a portion of the message is processed via the performance, relative to at least the portion of the message, of the actions that are associated with the particular message classification. For example, in response to determining that the message belongs to the “purchase order” message classification,network element104 may perform one or more specified actions that are associated with the “purchase order” message classification. The specified actions may include, for example, modifying the message's format (e.g., from XML to EDI) and sending the message towardserver application112 using a different application layer protocol (e.g., FTP) than the protocol thatclient application110 used to send the message. Examples of other possible actions are described below.

3.0 Implementation Examples

3.1 Multi-Blade Architecture

According to one embodiment, an Application-Oriented Network Services (AONS) blade in a network element such as a router, a switch, an appliance that performs L2-L4 processing, etc., performs the actions discussed above.FIG. 6A is a block diagram that illustrates one embodiment of arouter600 in which asupervisor blade602 directs some of packet flows610A-B to an AONS blade and/orother blades606N.Router600 comprisessupervisor blade602,AONS blade604, andother blades606A-N. Each of

blades

602,604, and606A-N is a single circuit board populated with components such as processors, memory, and network connections that are usually found on multiple boards.

Blades

602,604, and606A-N are designed to be addable to and removable fromrouter600. The functionality ofrouter600 is determined by the functionality of the blades therein. Adding blades torouter600 can augment the functionality ofrouter600, butrouter600 can provide a lesser degree of functionality with fewer blades at a lesser cost if desired. One or more of the blades may be optional.

Router

600 receives packet flows such as packet flows610A-B. More specifically, in one embodiment, packet flows610A-B received byrouter600 are received bysupervisor blade602.Supervisor blade602 may comprise a forwarding engine and/or a route processor such as those commercially available from Cisco Systems, Inc. In an alternative embodiment,router600 comprises one or more network I/O modules that may comprise a forwarding engine; in such an alternative embodiment, the operations described below as being performed bysupervisor blade602 are performed instead by a forwarding engine that is not situated withinsupervisor blade602, so that packets may be forwarded toAONS blade604 without ever going throughsupervisor blade602.

In one embodiment,supervisor blade602 classifies packet flows610A-B based on one or more parameters contained in the packet headers of those packet flows. If the parameters contained in the packet header of a particular packet match specified parameters, thensupervisor blade602 sends the packets to a specified one ofAONS blade604 and/orother blades606A-N. Alternatively, if the parameters contained in the packet header do not match any specified parameters, thensupervisor blade602 performs routing functions relative to the particular packet and forwards the particular packet on toward the particular packet's destination.

For example,supervisor blade602 may determine that packet headers inpacket flow610B match specified parameters. Consequently,supervisor blade602 may send packets inpacket flow610B toAONS blade604.Supervisor blade602 may receive packets back fromAONS blade604 and/orother blades606A-N and send the packets on to the next hop in a network path that leads to those packets' destination. For another example,supervisor blade602 may determine that packet headers inpacket flow610A do not match any specified parameters. Consequently, without sending any packets inpacket flow610A toAONS blade604 orother blades606A-N,supervisor blade602 may send packets inpacket flow610A on to the next hop in a network path that leads to those packets' destination.

AONS blade

604 andother blades606A-N receive packets fromsupervisor blade602, perform operations relative to the packets, and return the packets tosupervisor blade602.Supervisor blade602 may send packets to and receive packets from multiple blades before sending those packets out ofrouter600. For example,supervisor blade602 may send a particular group of packets toother blade606A.Other blade606A may perform firewall functions relative to the packets and send the packets back tosupervisor blade602.Supervisor blade602 may receive the packet fromother blade606A and send the packets toAONS blade604.AONS blade604 may perform one or more message payload-based operations relative to the packets and send the packets back tosupervisor blade602.

According to one embodiment, the following events occur at an AONS router such asrouter600. First, packets, containing messages from clients to servers, are received. Next, access control list-based filtering is performed on the packets and some of the packets are sent to an AONS blade or module. Next, TCP termination is performed on the packets. Next, Secure Sockets Layer (SSL) termination is performed on the packets if necessary. Next, Universal Resource Locator (URL)-based filtering is performed on the packets. Next, message header-based and message content-based filtering is performed on the packets. Next, the messages contained in the packets are classified into AONS message types. Next, a policy flow that corresponds to the AONS message type is selected. Next, the selected policy flow is executed. Then the packets are either forwarded, redirected, dropped, copied, modified, or fanned-out as specified by the selected policy flow.

3.2 Performing Message Payload Processing Functions at a Network Element

FIGS. 3A-B depict a flow diagram300 that illustrates one embodiment of a method of performing message payload processing functions at a network element on behalf of an application. For example, one or more of

network elements

102,104,106, and108 may perform such a method. More specifically,AONS blade604 may perform one or more steps of such a method. Other embodiments may omit one or more of the operations depicted in flow diagram300. Other embodiments may contain operations additional to the operation depicted in flow diagram300. Other embodiments may perform the operations depicted in flow diagram300 in an order that differs from the order depicted in flow diagram300.

Referring first toFIG. 3A, inblock302, user-specified input is received at a network element. The user-specified input indicates the following: one or more criteria that are to be associated with a particular message classification, and one or more actions that are to be associated with the particular message classification. The user-specified input may indicate an order in which the one or more actions are to be performed. The user-specified input may indicate that outputs of actions are to be supplied as inputs to other actions. For example,network element104, and more specificallyAONS blade604, may receive such user-specified input from a network administrator.

The user-specified input may indicate multiple sets of criteria that are to be associated, respectively, with multiple separate message classifications, and multiple sets of actions that are to be associated with the multiple message classifications. For example, the user-specified input may indicate a first set of criteria that is to be associated with a first message classification, a second set of criteria that is to be associated with a second message classification, a first set of actions that are to be associated with the first message classification, and a second set of actions that are to be associated with the second message classification.

Inblock304, an association is established, at the network element, between the particular message classification and the one or more criteria. For example,AONS blade604 may establish an association between a particular message classification and one or more criteria. For example, the criteria may indicate a particular string of text that a message needs to contain in order for the message to belong to the associated message classification. For another example, the criteria may indicate a particular path that needs to exist in the hierarchical structure of an XML-formatted message (or based in an XPath boolean expression) in order for the message to belong to the associated message classification. For another example, the criteria may indicate one or more source IP addresses and/or destination IP addresses from or to which a message needs to be addressed in order for the message to belong to the associated message classification.

Multiple associations may be established between separate sets of criteria and separate message classifications. For example,AONS blade604 may establish a first association between a first set of criteria and a first message classification, and a second association between a second set of criteria and a second message classification.

Inblock306, an association is established, at the network element, between the particular message classification and the one or more actions. One or more actions that are associated with a particular message classification comprise a “policy” that is associated with that particular message classification. A policy may comprise a “flow” of one or more actions that are ordered according to a particular order specified in the user-specified input, and/or one or more other actions that are not ordered. For example,AONS blade604 may establish an association between a particular message classification and one or more actions. Collectively, the operations of blocks302-306 comprise “provisioning” the network element.

Multiple associations may be established between separate sets of actions and separate message classifications. For example,AONS blade604 may establish a first association between a first set of actions and a first message classification, and a second association between a second set of actions and a second message classification.

Inblock308, one or more data packets that are destined for a device other than the network element are received by the network element. The data packets may be, for example, data packets that contain IP and TCP headers. The IP addresses indicated in the IP headers of the data packets may differ from the network element's IP address; thus, the data packets may be destined for a device other than the network element. For example,network element104, and more specificallysupervisor blade602, may intercept data packets thatclient application110 originally sent. The data packets might be destined forserver application112, for example.

Inblock310, based on one or more information items indicated in the headers of the data packets, an application layer protocol that was used to transmit a message contained in the payload portions of the data packets (hereinafter “the message”) is determined. The information items may include, for example, a source IP address in an IP header, a destination IP address in an IP header, a TCP source port in a TCP header, and a TCP destination port in a TCP header. For example,network element104, and more specificallyAONS blade604, may store mapping information that maps FTP (an application layer protocol) to a first combination of IP addresses and/or TCP ports, and that maps HTTP (another application layer protocol) to a second combination of IP addresses and/or TCP ports. Based on this mapping information and the IP addresses and/or TCP ports indicated by the data packets,network element104 may determine which application layer protocol (FTP, HTTP, Simple Mail Transfer Protocol (SMTP), etc.) was used to transmit the message.

Inblock312, a message termination technique that is associated with the application layer protocol used to transmit the message is determined. For example,network element104, and more specificallyAONS blade604, may store mapping information that maps FTP to a first procedure, that maps HTTP to a second procedure, and that maps SMTP to a third procedure. The first procedure may employ a first message termination technique that can be used to extract, from the data packets, a message that was transmitted using FTP. The second procedure may employ a second message termination technique that can be used to extract, from the data packets, a message that was transmitted using HTTP. The third procedure may employ a third message termination technique that can be used to extract, from the data packets, a message that was transmitted using SMTP. Based on this mapping information and the application layer protocol used to transmit the message,network element104 may determine which procedure should be called to extract the message from the data packets.

Inblock314, the contents of the message are determined based on the termination technique that is associated with the application layer protocol that was used to transmit the message. For example,network element104, and more specificallyAONS blade604, may provide the data packets as input to a procedure that is mapped to the application layer protocol determined inblock312. The procedure may use the appropriate message termination technique to extract the contents of the message from the data packets. The procedure may return the message as output toAONS blade604. Thus, in one embodiment, the message extracted from the data packets is independent of the application layer protocol that was used to transmit the message.

In one embodiment, determining the contents of the message involves assembling the contents of the payload portions of two or more of the data packets. For example,network element104 may determine the proper order of two or more TCP data packets (based on TCP sequence numbers, for example), extract the contents of the payload portions of the TCP data packets, and concatenate the contents according to the proper order to form at least a portion of the message. The message may be a multi-part (MIME) message, and each part may be handled separately as though it were a separate message; each part may be associated with a different message classification.

Inblock316, a message classification that is associated with criteria that the message satisfies is determined. For example,network element104 may store mapping information that maps different criteria to different message classifications. The mapping information indicates, among possibly many different associations, the association established inblock304.Network element104 may determine whether the contents of the message satisfy criteria associated with any of the known message classifications. In one embodiment, if the contents of the message satisfy the criteria associated with a particular message classification, then it is determined that the message belongs to the particular message classification.

Although, in one embodiment, the contents of the message are used to determine a message's classification, in alternative embodiments, information beyond that contained in the message may be used to determine the message's classification. For example, in one embodiment, a combination of the contents of the message and one or more IP addresses and/or TCP ports indicated in the data packets that contain the message is used to determine the message's classification. For another example, in one embodiment, one or more IP addresses and/or TCP ports indicated in the data packets that contain the message are used to determine the message's classification, regardless of the contents of the message.

Inblock318, one or more actions that are associated with the message classification determined inblock316 are performed. If two or more of the actions are associated with a specified order of performance, as indicated by the user-specified input, then those actions are performed in the specified order. If the output of any of the actions is supposed to be provided as input to any of the actions, as indicated by the user-specified input, then the output of the specified action is provided as input to the other specified action.

A variety of different actions may be performed relative to the message. For example, an action might indicate that the message is to be dropped. In this case, the message is prevented from being forwarded out of the network element toward that message's destination. For another example, an action might indicate that a message is to be compressed using a specified compression technique before being forwarded out of the network element.

For another example, an action might indicate that the content of the message is to be altered in a specified manner. For example, an action might indicate that specified text is to be inserted into a specified location in the message. A path in an XML hierarchical structure of the message might specify such a location, for example, or a specified string of text occurring in the message might specify such a location. For another example, an action might indicate that specified text is to be deleted from the message. For another example, an action might indicate that specified text is to be substituted for other specified text in the message. Text inserted into the message might be obtained dynamically (“on the fly”) from a database that is external to the network element.

For another example, an action might indicate that the message format of a message is to be altered in a specified manner. For example, an action might indicate that a message's format is to be changed from XML to some other format such as EDI. For another example, an action might indicate that a message's format is to be changed from some format other than XML into XML. The message format may be altered without altering the core content of the message, which is independent of the message format.

For another example, an action might indicate that the message is to be forwarded using a specified application layer protocol other than the application layer protocol that the message's origin used to transmit the message. For example,client application110 might have used a first application layer protocol, such as HTTP, to transmit the message. Thus, when intercepted bynetwork element104, and more specificallysupervisor blade602, the message might have contained an HTTP header. However, in accordance with a specified action, beforenetwork element104 forwards the message towards the message's destination,network element104, and more specificallyAONS blade604, may modify the message so that the message will be carried using an application layer protocol other than HTTP (such as FTP, SMTP, etc.).

For another example, an action might indicate that the message's destination is to be altered so that the message will be forwarded towards a device that is different from the device that the message's source originally specified. For example, in accordance with a specified action,network element104, and more specificallyAONS blade604, might encapsulate the message in one or more new IP data packets that indicate a new destination IP address that differs from the destination IP address that originally intercepted IP data packets indicated.Network element104 may then forward the new IP data packets toward the new destination. In this manner, message content-based routing may be achieved.

For another example, an action might indicate that a specified event is to be written into a specified log that might be external to the network element. For example, in accordance with a specified action,network element104, and more specificallyAONS blade604, might write at least a portion of the message, along with the IP address from which the message was received, to a log file.

For another example, an action might indicate that the message is to be encrypted using a specified key before being forwarded to a destination. For example, in accordance with a specified action,network element104, and more specificallyAONS blade604, might encrypt at least a portion of the message using a specified key and then forward data packets that contain the encrypted message towards the message's destination. Encryption also places a constraint on the subsequent action (e.g. The encrypted portion cannot be modified).

For another example, an action might indicate that a response cached at the network element is to be returned to the device from which the message originated, if such a response is cached at the network element. For example,network element104, and more specificallyAONS blade604, may determine whether a response to the message is cached atnetwork element104; such a response might have be cached atnetwork element104 at the time a previous response to the same message passed throughnetwork element104. Ifnetwork element104 determines that such a response is cached, then networkelement104 may return the response to the message's origin. For read-only operations without any persistent state change,network element104 does not need to forward the message to the message's destination, and the message's destination does not need to issue another response to the message.

For another example, an action might indicate that some authentication information in the message, such as a user identifier and associated password, is to be used to authenticate the message. For example,network element104, and more specificallyAONS blade604, might authenticate a message by comparing authentication information in the message with trusted information stored atnetwork element104.

If the message was modified in some way (e.g., content, format, or protocol modification) during the performance of the actions, and if the modified message is supposed to be forwarded out of the network element, then the network element encapsulates the modified message into new data packets and sends the new data packets towards the modified message's destination—which also might have been modified.

A message might not belong to any known message classification. In this case, according to one embodiment, the network element does not perform any user-specified actions relative to the message. Instead, the network element simply forwards the data packets to the next hop along the path to the data packets' indicated destination.

The method illustrated in flow diagram300 may be performed relative to multiple sets of data packets, each set carrying a separate message. For example,network element104 may perform the method illustrated relative to a first set of data packets that carry a first message, and then networkelement104 may perform the method relative to a second set of data packets that carry a second message. The first message might satisfy a first set of criteria associated with a first message classification, and the second message might satisfy a second set of criteria associated with a second message classification. Thus,network element104 might perform a first set of actions relative to the first message, and a second set of actions relative to the second message.

As a result of the method illustrated in flow diagram300, applications such asclient application110,server application112, andserver application114 can communicate with each other as though no network elements acted as intermediaries, and as though each other application communicated using the same message format and application layer protocol.

3.3 Action Flows

FIG. 4 depicts asample flow400 that might be associated with a particular message classification.Flow400 comprises, in order, actions402-414; other flows may comprise one or more other actions.Action402 indicates that the content of the message should be modified in a specified manner.Action404 indicates that a specified event should be written to a specified log. Action406 indicates that the message's destination should be changed to a specified destination.Action408 indicates that the message's format should be translated into a specified message format.Action410 indicates that the application layer protocol used to transmit the message or content should be changed to a specified application layer protocol.Action412 indicates that the message or content should be encrypted using a particular key.Action414 indicates that the message should be forwarded towards the message's destination. Other actions might include signing and verification actions, for example.

In other embodiments, any one of actions402-414 may be performed individually or in combination with any others of actions402-414.

3.4 Filtered Processing

Typically, inspecting, parsing, and modifying an application layer message is a processing resource-intensive operation that cannot be performed as quickly as routing operations that are based only on information in TCP and IP packet headers. Referring again toFIG. 6A, using packet level processing rather than message level processing,supervisor blade602 might be able to process and send packets toAONS blade604 faster thanAONS blade604 can process application layer messages contained within those packets. Indeed, there might be some packets that contain application layer messages thatAONS blade604 does not need to process at all. Sending such packets toAONS blade604 would only waste processing resources and cause packet buffers ofAONS blade604 to become backed up with packets.

Therefore, in one embodiment,supervisor blade602 sends only some selected packets toAONS blade604. The technique by whichsupervisor blade602 selects these packets may be referred to as “filtering.” As a result of filtering,AONS blade604 does not receive as many packets with whichAONS blade604 is likely to do nothing.

FIG. 6B depicts a flow diagram650 that illustrates one embodiment of a method of filtering packets for which message level processing is to be performed. Inblock652, it is determined whether information contained in a layer 2-4 header of a packet or frame satisfies specified criteria. The criteria might specify particular sources and/or particular destinations that packets need to be coming from and/or going to in order to merit message level processing. For example,supervisor blade602 might determine whether a combination of one or more of a packet's source IP address, source TCP port, destination IP address, and destination TCP port match any user-specified combinations of these addresses and ports. If the header information satisfies the specified criteria, then control passes to block654. Otherwise, control passes to block656.

Inblock654, the packet is sent to an AONS blade. For example,supervisor blade602 may direct the packet toAONS blade604.AONS blade604 may then perform more resource-intensive message level processing on an application layer message that is at least partially contained in the packet.

Alternatively, inblock656, the packet is forwarded on towards the packet's destination. For example,supervisor blade602 may route the packet toward the packet's next hop without sending the packet toAONS blade604. Message level processing is not performed on the packet.

3.5 AONS Examples

3.5.1 AONS General Overview

Application-Oriented Network Systems (AONS) is a technology foundation for building a class of products that embed intelligence into the network to better meet the needs of application deployment. AONS complements existing networking technologies by providing a greater degree of awareness of what information is flowing within the network and helping customers to integrate disparate applications by routing information to the appropriate destination, in the format expected by that destination; enforce policies for information access and exchange; optimize the flow of application traffic, both in terms of network bandwidth and processing overheads; provide increased manageability of information flow, including monitoring and metering of information flow for both business and infrastructure purposes; and provide enhanced business continuity by transparently backing up or re-routing critical business data.

AONS provides this enhanced support by understanding more about the content and context of information flow. As such, AONS works primarily at the message rather than at the packet level. Typically, AONS processing of information terminates a TCP connection to inspect the full message, including the “payload” as well as all headers. AONS also understands and assists with popular application-level protocols such as HTTP, FTP, SMTP and de facto standard middleware protocols.

AONS differs from middleware products running on general-purpose computing systems in that AONS' behavior is more akin to a network appliance, in its simplicity, total cost of ownership and performance. Furthermore, AONS integrates with network-layer support to provide a more holistic approach to information flow and management, mapping required features at the application layer into low-level networking features implemented by routers, switches, firewalls and other networking systems.

AONS provides a framework for broader functional support, a broader class of applications and a greater degree of control and management of application data.

3.5.2 AONS Terminology

An “application” is a software entity that performs a business function either running on servers or desktop systems. The application could be a packaged application, software running on application servers, a legacy application running on a mainframe, or custom or proprietary software developed in house to satisfy a business need or a script that performs some operation. These applications can communicate with other applications in the same department (departmental), across departments within a single enterprise (intra enterprise), across an enterprise and its partners (inter-enterprise or B2B) or an enterprise and its customers (consumers or B2C). AONS provides value added services for any of the above scenarios.

An “application message” is a message that is generated by an application to communicate with another application. The application message could specify the different business level steps that should be performed in handling this message and could be in any of the message formats described in the section below. In the rest of the document, unless otherwise specified explicitly, the term “message” also refers to an application message.

An “AONS node” is the primary AONS component within the AONS system (or network). As described later, the AONS node can take the shape of a client proxy, server proxy or an intermediate device that routes application messages. There may be multiple AONS nodes across the network performing different functions of which some may be federated.

Each application message, when received by the first AONS node, gets assigned an AONS message ID and is considered to be an “AONS message” until that message gets delivered to the destination AONS node. The concept of the AONS message exists within the AONS cloud. A single application message may map to more than one AONS message. This may be the case, for example, if the application message requires processing by more than one business function. For example, a “LoanRequest” message that is submitted by a requesting application and that needs to be processed by both a “CreditCheck” application and a “LoanProcessing” application would require processing by more than one business function. In this example, from the perspective of AONS, there are two AONS messages: The “LoanRequest” to the “CreditCheck” AONS message from the requesting application to the CreditCheck application; and the “LoanRequest” to the “LoanProcessing” AONS message from the CreditCheck application to the LoanProcessing Application.

In one embodiment, AONS messages are encapsulated in an AONP (AON Protocol) message that contains AONP headers, and are translated to a “canonical” format. AONP is a mechanism to enable federation between two or more AONS nodes. For example, a first AONS node may know that it is acting in conjunction with a second or other AONS node; thus the AONS nodes are “federated.” The first AONS node might have performed one or more actions, such as encryption, signing, authentication, etc., relative to a particular message. The first AONS node may indicate, in one or more AONP headers, the actions that the first AONS node performed. Upon receiving the AONP message, the second AONS node may determine from the AONP headers that the actions have been performed. As a result, the second AONS node may forego performing those actions, or perform other functions in an efficient and optimal way. Reliability, logging and security services are provided from an AONS message perspective.

The set of protocols or methods that applications typically use to communicate with each other are called “application access protocols” (or methods) from an AONS perspective. Applications can communicate to the AONS network (typically end point proxies: a client proxy and a server proxy) using any supported application access methods. Some examples of application access protocols include: IBM MQ Series, Java Message Service (JMS), TIBCO, Simple Object Access Protocol (SOAP) over Hypertext Transfer Protocol (HTTP)/HTTPS, Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), Java Database Connectivity (JDBC), TCP, etc. Details about various access methods are explained in later sections of this document.

There are a wide variety of “message formats” that are used by applications. These message formats may range from custom or proprietary formats to industry-specific formats to standardized formats. Extensible Markup Language (XML) is gaining popularity as a universal language or message format for applications to communicate with each other. AONS supports a wide variety of these formats.

In addition, in one embodiment, AONS provides content translation services from one format to another based on the needs of applications. A typical deployment might involve a first AONS node that receives an application message (the client proxy) translating the message to a “canonical” format, which is carried as an AONS message through the AONS network. The server proxy might translate the message from the “canonical” format to the format understood by the receiving application before delivering the message. However, proxies are not required. For understanding some of the non-industry standard formats, a message dictionary may be used.

A node that performs the gateway functionality between multiple application access methods or protocols is called a “protocol gateway.” An example of this would be a node that receives an application message through File Transfer Protocol (FTP) and sends the same message to another application as a HTTP post. In AONS, the client and server proxies are typically expected to perform the protocol gateway functionality.

If an application generates a message in Electronic Data Interchange (EDI) format and if the receiving application expects the message to be in an XML format, then the message format needs to be translated but the content of the message needs to be kept intact through the translation. In AONS, the end point proxies typically perform this “message format translation” functionality.

In some cases, AONS may filter, modify, combine, split a message content into multiple messages or a single message.

In some cases, even though the sending and receiving application use the same message format, the content needs to be translated for the receiving application. For example, if a United States-resident application is communicating with a United Kingdom-resident application, then the date format in the messages between the two applications might need to be translated (from mm/dd/yyyy to dd/mm/yyyy) even if the applications use the same data representation (or message format). This translation is called “content translation.”

3.5.3 AONS Functional Overview

As defined previously, AONS can be defined as network-based intelligent intermediary systems that efficiently and effectively integrate business and application needs with more flexible and responsive network services.

In particular, AONS can be understood through the following characteristics:

AONS operates at a higher layer (layers 5-6) than traditional network element products (layers 2-4). AONS uses message-level inspection as a complement to packet-level inspection—by understanding application messages, AONS adds value to multiple network element products, such as switches, firewalls, content caching systems and load balancers, on the “message exchange route.” AONS provides increased flexibility and granularity of network responsiveness in terms of security, reliability, traffic optimization (compression, caching), visibility (business events and network events) and transformation (e.g., from XML to EDI).

AONS is a comprehensive technology platform, not just a point solution. AONS can be implemented through distributed intelligent intermediary systems that sit between applications, middleware, and databases in a distributed intra- and inter-enterprise environment (routing messages, performing transformations, etc.). AONS provides a flexible framework for end user configuration of business flows and policies and partner-driven extensibility of AONS services.

AONS is especially well suited for network-based deployment. AONS is network-based rather than general-purpose server-based. AONS is hybrid software-based and hardware-based (i.e., application-specific integrated circuit (ASIC)/field programmable gate array (FPGA)-based acceleration). AONS uses out-of-band or in-line processing of traffic, as determined by policy. AONS is deployed in standalone products (network appliances) as well as embedded products (service blades for multiple switching, routing, and storage platforms).

3.5.4 AONS System Overview

This section outlines the system overview of an example AONS system.FIG. 7 is a diagram700 that illustrates the various components involved in anexample AONS network702 according to one embodiment of the invention. The roles performed by each of the nodes are mentioned in detail in subsequent sections.

WithinAONS network702, key building blocks include AONS Endpoint Proxies (AEPs)704-710, which are located at the edge of the AONS network and serve as the entry and exit points, and an AONS Router (AR), which is located within the AONS network. Visibility into application intent may begin withinAEP704 placed at the edge of a logical AONS “cloud.” As a particular client application ofclient applications714A-N attempts to send a message across the network to a particular server application destination of server applications716A-N and718A-N, the particular client application will first interact withAEP704.

AEP

704 serves as either a transparent or explicit messaging gateway which aggregates network packets into application messages and infers the message-level intent by examining the header and payload of a given message, relating the message to the appropriate context, optionally applying appropriate policies (e.g. message encryption, transformation, etc.) and then routing the message towards the message's application destination via a network switch.

AONS Router (AR)712 may intercept the message en route to the message's destination endpoint. Based upon message header contents,AR712 may determine that a new route would better serve the needs of a given application system.AR712 may make this determination based upon enterprise-level policy, taking into account current network conditions. As the message nears its destination, the message may encounterAEP706, which may perform a final set of operations (e.g. message decryption, acknowledgement of delivery) prior to the message's arrival. In one embodiment, each message is only parsed once: when the message first enters the AONS cloud. It is the first AEP that a message traverses that is responsible for preparing a message for optimal handling within the underlying network.

AEPs704-708 can further be classified into AEP Client Proxies and AEP Server Proxies to explicitly highlight roles and operations performed by the AEP on behalf of the specific end point applications.

A typical message flow involves aparticular client application714A submitting a message to the AEP Client Proxy (CP)704 through one of the various access protocols supported by AONS. On receiving this message,AEP CP704 assigns an AONS message id to the message, encapsulates the message with an AONP header, and performs any necessary operations related to the AONS network (e.g. security and reliability services). Also, if necessary, the message is converted to a “canonical” format byAEP CP704. The message is carried over a TCP connection toAR710 along the path to thedestination application718A. The AONS routers or switches along the path perform the infrastructure services necessary for the message and can change the routing based on the policies configured by the customer. The message is received at the destination AEP Server Proxy (SP)706.AEP SP706 performs necessary security and reliability functions and translates the message to the format that is understood by the receiving application, if necessary.AEP SP706 then sends the message to receivingapplication718A using any of the access protocols thatapplication718A and AONS support. A detailed message flow throughAONS network702 is described in later sections.

The message processing described herein may be performed with respect to the content of different kinds of messages that an AONS node may encounter. AONS nodes may process request messages, response messages, messages that called out from an AONS node or that are brought into an AONS node, or exception messages; AONS nodes may process contents of messages beyond those or the type that are sent between client and server applications. For example, in response to intercepting a message from a client application, an AONS node may generate and send another message to a database server. The AONS may subsequently receive yet another message from the database server. The AONS node may perform message processing in the manner described herein on any of the messages mentioned above, not just on the messages from the client.

An AONS node may perform specified actions in response to determining that the delivery of a message will cause a failure. For example, an AONS node may determine that a message is larger than the maximum size that can be accepted by a server application for which the message is destined. In response, the AONS node may prevent the message from being forwarded to the server application. Instead, the AONS node may log the message for later inspection by an administrator. For another example, in response to determining that a message contains a virus or other malignant content, an AONS node may “inoculate” the message (e.g., by encrypting and/or compressing the message content), and then store the “inoculated” message in a log for later inspection by an administrator.

3.5.5 AONS System Elements

This section outlines the different concepts that are used from an AONS perspective.

An “AEP Client Proxy” is an AONS node that performs the services necessary for applications on the sending side of a message (a client). In the rest of this document, an endpoint proxy also refers to a client or server proxy. Although AONS nodes may fulfill the roles of proxies, they are typically not designated as such; “AEP proxy” is a term used to define a role. The typical responsibilities of the client proxy in processing a message are: message pre-classification & early rejection, protocol management, message identity management, message encapsulation in an AONP header, end point origination for reliable delivery, security end point service origination (encryption, digital signature, authentication), flow selection & execution/infrastructure services (logging, compression, content transformation, etc.), routing—next hop AONS node or destination, AONS node and route discovery/advertising role and routes, and end point origination for the reliable delivery mechanism (guaranteed delivery router).

Not all functionalities described above need to be performed for each message. The functionalities performed on the message are controlled by the policies configured for the AONS node.

An “AEP Server Proxy” is an AONS node that performs the services necessary for applications on the receiving side of a message (a server). In the rest of the document, a Server Proxy may also be referred as an end point proxy. The typical responsibilities of the Server Proxy in processing a message are: protocol management, end point termination for reliable delivery, security end point service termination (decryption, verification of digital signature, etc.), flow selection & execution/infrastructure services (logging, compression, content translation, etc.), message de-encapsulation in AONP header, acknowledgement to sending AONS node, application routing/request message delivery to destination, response message correlation, and routing to entry AONS node.

Note that not all the functionalities listed above need to be performed for each message. The functionalities performed on the message are controlled by the policies configured for the AONS node and what the message header indicates.

An “AONS Router” is an AONS node that provides message-forwarding functionalities along with additional infrastructure services within an AONS network. An AONS Router communicates with Client Proxies, Server Proxies and other AONS Routers. An AONS Router may provide service without parsing a message; an AONS Router may rely on an AONP message header and the policies configured in the AONS network instead of parsing messages. An AONS Router provides the following functionalities: scalability in the AONS network in terms of the number of TCP connections needed; message routing based on message destination, policies configured in the AONS cloud, a route specified in the message, and/or content of the message; a load at the intended destination—re-routing if needed; availability of the destination—re-routing if needed; cost of transmission (selection among multiple service providers); and infrastructure services such as sending to a logging facility, sending to a storage area network (SAN) for backup purposes, and interfacing to a cache engine for cacheable messages (like catalogs).

AONS Routers do not need to understand any of the application access protocols and, in one embodiment, deal only with messages encapsulated with an AONP header.

Application-Oriented Networking Protocol (AONP) is a protocol used for communication between the nodes in an AONS network. In one embodiment, each AONS message carries an AONP header that conveys the destination of the message and additional information for processing the message in subsequent nodes. AONP also addresses policy exchange (static or dynamic), fail-over among nodes, load balancing among AONS nodes, and exchange of routing information. AONP also enables application-oriented message processing in multiple network elements (like firewalls, cache engines and routers/switches). AONP supports both a fixed header and a variable header (formed using type-length-value (TLV) fields) to support efficient processing in intermediate nodes as well as flexibility for additional services.

Unless explicitly specified otherwise, “router” or “switch” refers herein to atypical Layer 3 orLayer 2 switch or a router that is currently commercially available.

3.5.6 AONS Example Features

In one embodiment, an underlying “AONS foundation platform of subsystem services” (AOS) provides a range of general-purpose services including support for security, compression, caching, reliability, policy management and other services. On top of this platform, AONS then offers a range of discreet functional components that can be wired together to provide the overall processing of incoming data traffic. These “bladelets™” are targeted at effecting individual services in the context of the specific policy or action demanded by the application or the information technology (IT) manager. A series of access method adaptors ensure support for a range of ingress and egress formats. Finally, a set of user-oriented tools enable managers to appropriately view, configure and set policies for the AONS solution. These four categories of functions combine to provide a range of end-customer capabilities including enhanced security, infrastructure optimization, business continuity, application integration and operational visibility.

The enhanced visibility and enhanced responsiveness enabled by AONS solutions provides a number of intelligent, application-oriented network services. These intelligent services can be summarized in four primary categories:

Enhanced security and reliability: enabling reliable message delivery and providing message-level security in addition to existing network-level security.

Infrastructure optimization: making more efficient use of network resources by taking advantage of caching and compression at the message level as well as by integrating application and network quality-of-service (QoS).

Business and infrastructure activity monitoring and management: by reading information contained in the application layer message, AONS can log, audit, and manage application-level business events, and combine these with network, server, and storage infrastructure events in a common, policy-driven management environment.

Content-based routing and transformation: message-based routing and transformation of protocol, content, data, and message formats (e.g., XML transformation). The individual features belonging to each of these primary categories are described in greater detail below.

3.5.6.1 Enhanced Security and Reliability

Authentication: AONS can verify the identity of the sender of an inbound message based upon various pieces of information contained within a given message (username/password, digital certificate, Security Assertion Markup Language (SAML) assertion, etc.), and, based upon these credentials, determine whether or not the message should be processed further.

Authorization: Once principal credentials are obtained via message inspection, AONS can determine what level of access the originator of the message should have to the services it is attempting to invoke. AONS may also make routing decisions based upon such derived privileges or block or mask certain data elements within a message once it's within an AONS network as appropriate.

Encryption/Decryption: Based upon policy, AONS can perform encryption of message elements (an entire message, the message body or individual elements such as credit card number) to maintain end-to-end confidentiality as a message travels through the AONS network. Conversely, AONS can perform decryption of these elements prior to arrival at a given endpoint.

Digital Signatures: In order to ensure message integrity and allow for non-repudiation of message transactions, AONS can digitally sign entire messages or individual message elements at any given AEP. The decision as to what gets signed will be determined by policy as applied to information derived from the contents and context of each message.

Reliability: AONS can complement existing guaranteed messaging systems by intermediating between unlike proprietary mechanisms. It can also provide reliability for HTTP-based applications (including web services) that currently lack reliable delivery. As an additional feature, AONS can generate confirmations of successful message delivery as well as automatically generate exception responses when delivery cannot be confirmed.

3.5.6.2 Infrastructure Optimization

Compression and stream-based data extraction: AEPs can compress message data prior to sending the message data across the network in order to conserve bandwidth and conversely decompress it prior to endpoint delivery. AEPs can also extract data to perform message classification without waiting for the whole message to be read in.

Caching: AONS can cache the results of previous message inquires based upon the rules defined for a type of request or based upon indicators set in the response. Caching can be performed for entire messages or for certain elements of a message in order to reduce application response time and conserve network bandwidth utilization. Message element caching enables delta processing for subsequent message requests.

TCP Connection Pooling: By serving as an intermediary between message clients and servers AONS can consolidate the total number of persistent connections required between applications. AONS thereby reduces the client and server-processing load otherwise associated with the ongoing initiation and teardown of connections between a mesh of endpoints.

Batching: An AONS intermediary can batch transactional messages destined for multiple destinations to reduce disk I/O overheads on the sending system. Similarly, transactional messages from multiple sources can be batched to reduce disk I/O overheads on the receiving system.

Hardware Acceleration: By efficiently performing compute-intensive functions such as encryption and Extensible Stylesheet Language Transformation (XSLT) transformations in an AONS network device using specialized hardware, AONS can offload the computing resources of endpoint servers, providing potentially lower-cost processing capability.

Quality of Service: AONS can integrate application-level QoS with network-level QoS features based on either explicit message prioritization (e.g., a message tagged as “high priority”) or via policy that determines when a higher quality of network service is required for a message as specific message content is detected.

Policy Enforcement: At the heart of optimizing the overall AONS solution is the ability to ensure business-level polices are expressed, implemented and enforced by the infrastructure. The AONS Policy Manager ensures that once messages are inspected, the appropriate actions (encryption, compression, routing, etc.) are taken against that message as appropriate.

3.5.6.3 Activity Monitoring and Management

Auditing/Logging/Metering: AONS can selectively filter messages and send them to a node or console for aggregation and subsequent analysis. Tools enable viewing and analysis of message traffic. AONS can also generate automatic responses to significant real-time events, both business and infrastructure-related. By intelligently gathering statistics and sending them to be logged, AONS can produce metering data for auditing or billing purposes.

Management: AONS can combine both message-level and network infrastructure level events to gain a deeper understanding of overall system health. The AONS management interface itself is available as a web service for those who wish to access it programmatically.

Testing and Validation: AONS' ability to intercept message traffic can be used to validate messages before allowing them to reach destination applications. In addition to protecting from possible application or server failures, this capability can be leveraged to test new web services and other functions by examining actual message flow from clients and servers prior to production deployment. AONS also provides a “debug mode” that can be turned on automatically after a suspected failure or manually after a notification to assist with the overall management of the device.

Workload Balancing and Failover: AONS provides an approach to workload balancing and failover that is both policy- and content-driven. For example, given an AONS node's capability to intermediate between heterogeneous systems, the AONS node can balance between unlike systems that provide access to common information as requested by the contents of a message. AONS can also address the issue of message affinity necessary to ensure failover at the message rather than just the session level as is done by most existing solutions. Balancing can also take into account the response time for getting a message reply, routing to an alternate destination if the preferred target is temporarily slow to respond.

Business Continuity: By providing the ability to replicate inbound messages to a remote destination, AONS enables customers to quickly recover from system outages. AONS can also detect failed message delivery and automatically re-route to alternate endpoints. AONS AEPs and ARs themselves have built-in redundancy and failover at the component level and can be clustered to ensure high availability.

3.5.6.4 Content-Based Routing and Transformation

Content-based Routing: Based upon its ability to inspect and understand the content and context of a message, AONS provides the capability to route messages to an appropriate destination by matching content elements against pre-established policy configurations. This capability allows AONS to provide a common interface (service virtualization) for messages handled by different applications, with AONS examining message type or fields in the content (part number, account type, employee location, customer zip code, etc.) to route the message to the appropriate application. This capability also allows AONS to send a message to multiple destinations (based on either statically defined or dynamic subscriptions to message types or information topics), with optimal fan-out through AONS routers. This capability further allows AONS to redirect all messages previously sent to an application so that it can be processed by a new application. This capability additionally allows AONS to route a message for a pre-processing step that is deemed to be required before receipt of a message (for example, introducing a management pre-approval step for all travel requests). This capability also allows AONS to route a copy of a message that exceeds certain criteria (e.g. value of order) to an auditing system, as well as forwarding the message to the intended destination. This capability further allows AONS to route a message to a particular server for workload or failover reasons. This capability also allows AONS to route a message to a particular server based on previous routing decisions (e.g., routing a query request based on which server handled for the original order). This capability additionally allows AONS to route based on the source of a message. This capability also allows AONS to route a message through a sequence of steps defined by a source or previous intermediary.

Message Protocol Gateway: AONS can act as a gateway between applications using different transport protocols. AONS supports open standard protocols (e.g. HTTP, FTP, SMTP), as well as popular or de facto standard proprietary protocols such as IBM MQ and JMS.

Message Transformations: AONS can transform the contents of a message to make them appropriate for a particular receiving application. This can be done for both XML and non-XML messages, the latter via the assistance of either a message dictionary definition or a well-defined industry standard format.

3.5.7 AONS Functional Modules

FIG. 8 is a block diagram that depicts functional modules within an example AONS node.AONS node800 comprises AOS configuration andmanagement module802, flows/rules804, AOScommon services806, AOSmessage execution controller808, AOSprotocol access methods810, and AOS platform-specific “glue”812.AONS node800 interfaces with Internetworking Operating System (IOS)814 andLinux Operating System816. Flows/rules804 comprise bladelets™818,scriptlets™820, andscriptlet™ container822.

In one embodiment, AOScommon services806 include: security services, standard compression services, delta compression services, caching service, message logging service, policy management service, reliable messaging service, publish/subscribe service, activity monitoring service, message distribution service, XML parsing service, XSLT transformation service, and QoS management service.

In one embodiment, AOS protocol/access methods810 include: TCP/SSL, HTTP/HTTPS, SOAP/HTTP, SMTP, FTP, JMS/MQ and JMS/RV, and Java Database Connectivity (JDBC).

In one embodiment, AOSmessage execution controller808 includes: an execution controller, a flow subsystem, and a bladelet™ subsystem.

In one embodiment, AOS bladelets™818 andscriptlets™820 include: message input (read message), message output (send message), logging/audit, decision, external data access, XML parsing, XML transformation, caching, scriptlet container, publish, subscribe, message validation (schema, format, etc.), filtering/masking, signing, authentication, authorization, encryption, decryption, activity monitoring sourcing, activity monitoring marking, activity monitoring processing, activity monitoring notification, message discard, firewall block, firewall unblock, message intercept, and message stop-intercept.

In one embodiment, AOS configuration andmanagement module802 includes: configuration, monitoring, topology management, capability exchange, failover redundancy, reliability/availability/serviceability (RAS) services (tracing, debugging, etc.), archiving, installation, upgrades, licensing, sample scriptlets™, sample flows, documentation, online help, and language localization.

In one embodiment, supported platforms include: Cisco Catalyst6503, Cisco Catalyst6505, Cisco Catalyst6509, and Cisco Catalyst6513. These products are typically deployed in data centers. Other products, such as “branch office routers” (e.g., the Cisco Volant router series) and “edge routers” are also supported. In one embodiment, supported supervisor modules include: Sup2 and Sup720. In one embodiment, specific functional areas relating to the platform include: optimized TCP, SSL, public key infrastructure (PM), encryption/decryption, interface to Cat6K supervisor, failover/redundancy, image management, and QoS functionality. Although some embodiments of the invention are described herein with reference to PMI keys, embodiments of the invention are not limited to PMI keys. Other keys and/or tokens, such as Kerberos tokens and/or PGP tokens, may be used in conjunction with embodiments of the invention.

In one embodiment, cryptographic key distribution and processing is controlled by user-specified policies that are stored, with the keys, at a central console called an AMC. The policies may state, for example, that different kinds of keys are to be used to encrypt/decrypt/sign different kinds of data traffic. Keys may be associated with policies. The AMC may automatically distribute the key-to-policy associations to user-specified AONS nodes.

3.5.8 AONS Modes of Operation

AONS may be configured to run in multiple modes depending on application integration needs, and deployment scenarios. According to one embodiment, the primary modes of operation include implicit mode, explicit mode, and proxy mode. In implicit mode, an AONS node transparently intercepts relevant traffic with no changes to applications. In explicit mode, applications explicitly address traffic to an intermediary AONS node. In proxy mode, applications are configured to work in conjunction with AONS nodes, but applications do not explicitly address traffic to AONS nodes.

In implicit mode, applications are unaware of AONS presence. Messages are addressed to receiving applications. Messages are redirected to AONS via configuration of application “proxy” or middleware systems to route messages to AONS, and/or via configuration of networks (packet interception). For example, domain name server (DNS)-based redirection could be used to route messages. For another example, a 5-tuple-based access control list (ACL) on a switch or router could be used. Network-based application recognition and content switching modules may be configured for URL/URI redirection. Message-based inspection may be used to determine message types and classifications. In implicit mode, applications communicate with each other using AONS as an intermediary (implicitly), using application-native protocols.

Traffic redirection, message classification, and “early rejection” (sending traffic out of AONS layers prior to complete processing within AONS layers) may be accomplished via a variety of mechanisms, such as those depicted inFIG. 9.FIG. 9 shows multiple tiers of filtering that may be performed on message traffic in order to produce only a select set of traffic that will be processed at the AONS layer. Traffic that is not processed at the AONS layer may be treated as any other traffic.

At the lowest layer,layer902, all traffic passes through. At the next highest layer,layer904, traffic may be filtered based on 5-tuples. A supervisor blade or a network operating system such as Internetwork Operating System (IOS) may perform such filtering. Traffic that passes the filters atlayer904 passes to layer906. Atlayer906, traffic may be further filtered based on network-based application recognition-like filtering and/or message classification and rejection. Traffic that passes the filters atlayer906 passes to layer908. Atlayer908, traffic may be further filtered based on protocol headers. For example, traffic may be filtered based on URLs/URIs in the traffic. Traffic that passes the filters atlayer908 passes to layer910. Atlayer910, traffic may be processed based on application layer messages, include headers and contents. For example, XPath content identification technology within messages may be used to process traffic atlayer910. An AONS blade may perform processing atlayer910. Thus, a select subset of all network traffic may be provided to an AONS blade.

In explicit mode, applications are aware of AONS presence. Messages are explicitly addressed to AONS nodes. Applications may communicate with AONS using AONP. AONS may perform service virtualization and destination selection.

In proxy mode, applications are explicitly unaware of AONS presence. Messages are addressed to their ultimate destinations (i.e., applications). However, client applications are configured to direct traffic via a proxy mode.

3.5.9 AONS Message Routing

Components of message management in AONS may be viewed from two perspectives: a node view and a cloud view.

FIG. 10 is a diagram that illustrates the path of a message within an AONS cloud1010 according to a cloud view. A client application1004 sends a message to an AONS Client Proxy (CP)1006. If AONS CP1006 is not present, then client application1004 may send the message to an AONS Server Proxy (SP)1008. The message is processed at AONS CP1006. AONS CP1006 transforms the message into AONP format if the message is entering AONS cloud1010.

Within AONS cloud1010, the message is routed using AONP. Thus, using AONP, the message may be routed from AONS CP1006 to anAONS router1012, or from AONS CP1006 to AONS SP1008, or fromAONS router1012 to another AONS router, or fromAONS router1012 to AONS SP1008. Messages processed at AONS nodes are processed in AONP format.

When the message reaches AONS SP1008, AONS SP1008 transforms the message into the message format used by server application1014. AONS SP1008 routes the message to server application1014 using the message protocol of server application1014. Alternatively, if AONS SP1008 is not present, AONS CP1006 may route the message to server application1014.

The details of the message processing within AONS cloud1010 can be understood via the following perspectives: Request/Response Message Flow, One-Way Message Flow, Message Flow with Reliable Delivery, Node-to-Node Communication, and multicast publish-subscribe.

FIG. 11A andFIG. 11B are diagrams that illustrate a request/response message flow. Referring toFIG. 11A, atcircumscribed numeral1, a sendingapplication1102 sends a message towards a receivingapplication1104. At circumscribednumeral2, anAEP CP1106 intercepts the message and adds an AONP header to the message, forming an AONP message. At circumscribednumeral3,AEP CP1106 sends the AONP message to anAONS router1108. At circumscribednumeral4,AONS router1108 receives the AONP message. At circumscribednumeral5,AONS router1108 sends the AONP message to anAEP SP1110. At circumscribednumeral6,AEP SP1110 receives the AONP message and removes the AONP header from the message, thus decapsulating the message. At circumscribednumeral7,AEP SP1110 sends the message to receivingapplication1104.

Referring toFIG. 11B, atcircumscribed numeral8, receivingapplication1104 sends a response message toward sendingapplication1102. At circumscribednumeral9,AEP SP1110 intercepts the message and adds an AONP header to the message, forming an AONP message. At circumscribednumeral10,AEP SP1110 sends the AONP message toAONS router1108. At circumscribednumeral11,AONS router1108 receives the AONP message. At circumscribednumeral12,AONS router1108 sends the AONP message toAEP CP1106. At circumscribednumeral13,AEP CP1106 receives the AONP message and removes the AONP header from the message, thus decapsulating the message. At circumscribednumeral14,AEP CP1106 sends the message to sendingapplication1102. Thus, a request is routed from sendingapplication1102 to receivingapplication1104, and a response is routed from receivingapplication1104 to sendingapplication1102.

FIG. 12A andFIG. 12B are diagrams that illustrate alternative request/response message flows.FIG. 12A shows three possible routes that a message might take from a sendingapplication1202 to areceiving application1204. According to a first route, sendingapplication1202 sends the message toward receivingapplication1204, but anAEP CP1206 intercepts the message and sends the message to receivingapplication1204. According to a second route, sendingapplication1202 sends the message toward receivingapplication1204, butAEP CP1206 intercepts the message, encapsulates the message within an AONP message, and sends the AONP message to anAEP SP1208, which decapsulates the message from the AONP message and sends the message to receivingapplication1204. According to a third route, sendingapplication1202 sends the message toward receivingapplication1204, butAEP SP1208 intercepts the message and sends the message to receivingapplication1204.

FIG. 12B shows three possible routes that a response message might take from receivingapplication1204 to sendingapplication1202. According to a first route, receivingapplication1204 sends the message toward sendingapplication1202, butAEP CP1206 intercepts the message and sends the message to sendingapplication1204. According to a second route, receivingapplication1204 sends the message toward sendingapplication1202, butAEP SP1208 intercepts the message, encapsulates the message within an AONP message, and sends the AONP message toAEP CP1206, which decapsulates the message from the AONP message and sends the message to sendingapplication1202. According to a third route, receivingapplication1204 sends the message toward sendingapplication1202, butAEP SP1208 intercepts the message and sends the message to sendingapplication1202.

FIG. 14 is a diagram that illustrates alternative one-way message flows.FIG. 14 shows three possible routes that a message might take from a sendingapplication1402 to areceiving application1404. According to a first route, sendingapplication1402 sends the message toward receivingapplication1404, but anAEP CP1406 intercepts the message and sends the message to receivingapplication1404.AEP CP1406 sends an ACK (acknowledgement) to sendingapplication1402. According to a second route, sendingapplication1402 sends the message toward receivingapplication1404, butAEP CP1406 intercepts the message, encapsulates the message within an AONP message, and sends the AONP message to anAEP SP1408, which decapsulates the message from the AONP message and sends the message to receivingapplication1404. Again,AEP CP1406 sends an ACK to sendingapplication1402. According to a third route, sendingapplication1402 sends the message toward receivingapplication1404, butAEP SP1408 intercepts the message and sends the message to receivingapplication1404. In this case,AEP SP1408 sends an ACK to sendingapplication1402. Thus, when an AEP intercepts a message, the intercepting AEP sends an ACK to the sending application.

According to one embodiment, AONP is used in node-to-node communication with the next hop. In one embodiment, AONP uses HTTP. AONP headers may include HTTP or TCP headers. AONP may indicate RM ACK, QoS level, message priority, and message context (connection, message sequence numbers, message context identifier, entry node information, etc.). The actual message payload is in the message body. Asynchronous messaging may be used between AONS nodes. AONS may conduct route and node discovery via static configuration (next hop) and/or via dynamic discovery and route advertising (“lazy” discovery).

FIG. 15A andFIG. 15B are diagrams that illustrate a request/response message flow with reliable message delivery. Referring toFIG. 15A, atcircumscribed numeral1, a sendingapplication1502 sends a message towards a receivingapplication1504. At circumscribednumeral2, anAEP CP1506 intercepts the message and adds an AONP header to the message, forming an AONP message. At circumscribednumeral3,AEP CP1506 saves the message to adata store1512. Thus, if there are any problems with sending the message,AEP CP1506 can resend the copy of the message that is stored indata store1512.

At circumscribednumeral4,AEP CP1506 sends the AONP message to anAONS router1508. At circumscribednumeral5,AONS router1508 receives the AONP message. At circumscribednumeral6,AONS router1508 sends the AONP message to anAEP SP1510. At circumscribednumeral7,AEP SP1510 receives the AONP message and removes the AONP header from the message, thus decapsulating the message. At circumscribednumeral8,AEP SP1510 sends the message to receivingapplication1504.

At circumscribednumeral9,AEP SP1510 sends a reliable messaging (RM) acknowledgement (ACK) toAONS router1508. At circumscribednumeral10,AONS router1508 receives the RM ACK and sends the RM ACK toAEP CP1506. At circumscribednumeral11,AEP CP1506 receives the RM ACK and, in response, deletes the copy of the message that is stored indata store1512. Because the delivery of the message has been acknowledged, there is no further need to store a copy of the message indata store1512. Alternatively, ifAEP CP1506 does not receive the RM ACK within a specified period of time, thenAEP CP1506 resends the message.

Referring toFIG. 15B, at circumscribednumeral12, receivingapplication1504 sends a response message toward sendingapplication1502. At circumscribednumeral13,AEP SP1510 intercepts the message and adds an AONP header to the message, forming an AONP message. At circumscribednumeral14,AEP SP1510 sends the AONP message toAONS router1508. At circumscribednumeral15,AONS router1508 receives the AONP message. At circumscribednumeral16,AONS router1508 sends the AONP message toAEP CP1506. At circumscribednumeral17,AEP CP1506 receives the AONP message and removes the AONP header from the message, thus decapsulating the message. At circumscribednumeral18,AEP CP1506 sends the message to sendingapplication1502.

At circumscribednumeral10,AEP SP1610 sends a reliable messaging (RM) acknowledgement (ACK) toAONS router1608. At circumscribednumeral11,AONS router1608 receives the RM ACK and sends the RM ACK toAEP CP1606. At circumscribednumeral12,AEP CP1606 receives the RM ACK and, in response, deletes the copy of the message that is stored indata store1612. Because the delivery of the message has been acknowledged, there is no further need to store a copy of the message indata store1612. Alternatively, ifAEP CP1606 does not receive the RM ACK within a specified period of time, thenAEP CP1606 resends the message. If the resend is not successful within a timeout period, a “delivery-failure” notification message will be send to the original sending application.

FIG. 17 is a diagram that illustrates synchronous request and response messages. At circumscribednumeral1, anAONS node1704 receives, from aclient1702, a request message, in either implicit or explicit mode. At circumscribednumeral2,AONS node1704 reads the message, selects and executes a flow, and adds an AONP header to the message. At circumscribednumeral3,AONS node1704 sends the message to a next hop node,AONS node1706. At circumscribednumeral4,AONS node1706 reads the message, selects and executes a flow, and removes the AONP header from the message, formatting the message according to the message format expected by aserver1708. At circumscribednumeral5,AONS node1706 sends the message to the message's destination,server1708.

At circumscribednumeral6,AONS node1706 receives a response message fromserver1708 on the same connection on whichAONS node1706 sent the request message. At circumscribednumeral7,AONS node1706 reads the message, correlates the message with the request message, executes a flow, and adds an AONP header to the message. At circumscribednumeral8,AONS node1706 sends the message toAONS node1704. At circumscribednumeral9,AONS node1704 reads the message, correlates the message with the request message, executes a flow, and removes the AONP header from the message, formatting the message according to the message format expected byclient1702. At circumscribednumeral10,AONS node1704 sends the message toclient1702 on the same connection on whichclient1702 sent the request message toAONS node1704.

FIG. 18 is a diagram that illustrates a sample one-way end-to-end message flow. At circumscribednumeral1, anAONS node1804 receives, from aclient1802, a request message, in either implicit or explicit mode. At circumscribednumeral2,AONS node1804 reads the message, selects and executes a flow, and adds an AONP header to the message. At circumscribednumeral3,AONS node1804 sends an acknowledgement toclient1802. At circumscribednumeral4,AONS node1804 sends the message to a next hop node,AONS node1806. At circumscribednumeral5,AONS node1806 reads the message, selects and executes a flow, and removes the AONP header from the message, formatting the message according to the message format expected by aserver1808. At circumscribednumeral6,AONS node1806 sends the message to the message's destination,server1808.

According to the node view, the message lifecycle within an AONS node, involves ingress/egress processing, message processing, message execution control, and flow execution.

FIG. 19 is a diagram that illustrates message-processing modules within anAONS node1900.AONS node1900 comprises an AONS message execution controller (AMEC)framework1902, apolicy management subsystem1904, an AONS messageprocessing infrastructure subsystem1906, and anAOSS1908.AMEC framework1902 comprises aflow management subsystem1910, a bladelet™ execution subsystem1912, and amessage execution controller1914.Policy management subsystem1904 communicates withflow management subsystem1910.AOSS1908 communicates with bladelet™ execution subsystem1912 and AONS messageprocessing infrastructure subsystem1906. AONS messageprocessing infrastructure subsystem1906 communicates withmessage execution controller1914.Flow management subsystem1910, bladelet™ execution subsystem, andmessage execution controller1914 all communicate with each other.

FIG. 20 is a diagram that illustrates message processing withinAONS node1900.AMEC framework1902 is an event-based multi-threaded mechanism to maximize throughput while minimizing latency for messages in the AONS node. According to one embodiment, received packets are re-directed, TCP termination is performed, SSL termination is performed if needed,Layer 5 protocol adapter and access method processing is performed (using access methods such as HTTP, SMTP, FTP, JMS/MQ, JMS/RV, JDBC, etc.), AONS messages (normalized message format for internal AONS processing) are formed, messages are queued, messages are dequeued based on processing thread availability, a flow (or rule) is selected, the selected flow is executed, the message is forwarded to the message's destination, and for request/response-based semantics, responses are handled via connection/session state maintained withinAMEC framework1902.

In one embodiment, executing the flow comprises executing each step (i.e., bladelet™/action) of the flow. If a bladelet™ is to be run within a separate context, thenAMEC framework1902 may enqueue into bladelet™-specific queues, and, based on thread availability, dequeue appropriate bladelet™ states from each bladelet™ queue.

3.5.10 Flows, Bladelets™, and Scriptlets™

According to one embodiment, flows string together bladelets™ (i.e., actions) to customize message processing logic. Scriptlets™ provide a mechanism for customers and partners to customize or extend native AONS functionality. Some bladelets™ and services may be provided with an AONS node.

3.5.11 AONS Services

As mentioned in the previous section, a set of core services may be provided by AONS to form the underlying foundation of value-added functionality that can be delivered via an AONS node. In one embodiment, these include: Security Services, Standard Compression Services, Delta Compression Services, Caching Service, Message Logging Service, Policy Management Service (Policy Manager), Reliable Messaging Service, Publish/Subscribe Service, Activity Monitoring Service, Message Distribution Service, XML Parsing Service, XSLT Transformation Service, and QoS Management Service. In one embodiment, each AONS core service is implemented within the context of a service framework.

3.5.12 AONS Configuration and Management

In one embodiment, an AONS node is provisioned and configured for a class of application messages, where it enforces the policies that are declaratively defined on behalf-of the application end-points, business-domains, security-domains, administrative domains, and network-domains. Furthermore, the AONS node promotes flexible composition and customization of different product functional features by means of configurability and extensibility of different software and hardware sub-systems for a given deployment scenario. Due to the application and network embodiments of the AONS functionality, the AONS architecture framework should effectively and uniformly address different aspects of configurability, manageability, and monitorability of the various system components and their environments.

The AONS Configuration and Management framework is based upon five functional areas (“FCAPS”) for network management as recommended by the ISO network management forum. The functional areas include fault management, configuration management, accounting management, performance management, and security management. Fault management is the process of discovering, isolating, and fixing the problems or faults in the AONS nodes. Configuration management is the process of finding and setting up the AONS nodes. Accounting management involves tracking usage and utilization of AONS resources to facilitate their proper usage. Performance management is the process of measuring the performance of the AONS system components and the overall system. Security management controls access to information on the AONS system. Much of the above functionality is handled via proper instrumentation, programming interfaces, and tools as part of the overall AONS solution.

FIG. 21,FIG. 22, andFIG. 23 are diagrams that illustrate entities within an AONS configuration and management framework. An AONS management console (AMC) is the centralized hub for configuration and management of AONS policies, flows, scriptlets™ and other manageable entities. Configurable data is pushed to the AMC from an AONS design studio (flow tool) and the AONS admin may then provision this data to the production deployment. A promotion process is also provided to test and validate changes via a development to staging/certification to production rollout process. An AONS management agent (AMA) resides on individual AONS blades and provides the local control and dispatch capabilities for AONS. The AMA interacts with the AMC to get updates. The AMA takes appropriate actions to implement changes. The AMA is also used for collecting monitoring data to report to third party consoles.

3.5.13 AONS Monitoring

In one embodiment, AONS is instrumented to support well-defined events for appropriate monitoring and visibility into internal processing activities. The monitoring of AONS nodes may be accomplished via a pre-defined JMX MBean agent that is running on each AONS node. This agent communicates with a remote JMX MBean server on the PC complex. An AONS MIB is leveraged for SNMP integration to third party consoles.FIG. 24 is a diagram that illustrates an AONS monitoring architecture.

3.5.14 AONS Tools

In one embodiment, the following tool sets are provided for various functional needs of AONS: a design studio, an admin studio, and a message log viewer. The design studio is a visual tool for designing flows and applying message classification and mapping policies. The admin studio is a web-based interface to perform all administration and configuration functions. The message log viewer is a visual interface to analyze message traffic, patterns, and trace information.

3.5.15 AONS Structured Application Message Processing

Having AONS in the data path of the network offers a unique ability to analyze and modify packets as they pass through the network. Network elements such as routers, switches, and bridges typically operate atlayers 4 and below of the OSI stack. An embodiment of the invention operates in the context of deeper content processing in a network element on behalf of applications running on end systems connected by a computer network or a network of networks.

One embodiment analyzes packet information as they pass through the AONS blade. As discussed above, the various protocol layers are first peeled away by the AONS blade to reveal the packet payload. The embodiment modifies any packet information needed before determining the packet destination. A packet may be routed to a destination that is different than the destination originally addressed in the packet. This is determined by the packet payload information.FIG. 26 illustrates anAONS router2600 with asupervisor blade2601 and anAONS blade2602 configured to analyze and route packets. Apacket2603A enters into therouter2600 throughport2606. Thesupervisor blade2601 sends thepacket2604 to theAONS blade2602. When theAONS blade2602 receives a packet, it determines whether or not that packet requires any application level processing and, if so, what kind of application level processing. It may have to perform some amount of deep processing of the message, beyond the normal layer 3-4 processing to make this determination.

TheAONS blade2602 analyzes the packet using pre-determined rules described in further detail below. TheAONS blade2602 may modify packet information based on the rules. Once the packet is analyzed to determine its classification, theAONS blade2602 routes thepacket2603A to the destination throughport2609. The destination may be different than the destination originally addressed in the packet. This may be due to the information parsed from the packet or the result of an operation that changed part of the packet information. The packet may also be stored on theAONS blade2602 for later use.

An embodiment analyzes any structured message packet. Structured message formats include XML, proprietary formats such as FIX, well-known structures such as tables, comma-separated values, etc.

FIG. 27 illustrates the steps taken when a structured message is received by an embodiment of the invention. The system processes the message for the purpose of determining how the message should be treated2701. An embodiment parses the message and selects certain parts of the message according to pre-defined rules for the particular type of message. It then compares the values of the selected parts of the message with entries in a pre-stored table. A matching entry in the table specifies a treatment to be applied to the message. The treatment is a sequence of operations that instruct the system as to a validation, transformation, modification, routing, or storage operations to be performed on the message. An example list of such operations for an XML message is discussed below.

The system then applies the specified sequence of operations to the message in a specifiedorder2702. For example, a certain sub-tree of the message may have to be extracted and replaced by a different sub-tree stored in the AONS blade or in an external database. Validation of the message can occur before the message is modified, although the two operations are not required to be performed in a particular sequence.

The system either sends the message out to one or more destinations (which may be specified in the table), or stores it in an internal or external database for later use (as specified by the last operation in the sequence)2703.

An embodiment of the invention is discussed below in the context of eXtensible Markup Language, or XML, formatted messages, but, as discussed above, other embodiments handle any type of structured message.

An XML message is structurally organized as a hierarchy or tree. The message consists of one or more “elements”. Each element may have a number of other items associated with it, such as “attributes”, “text value”, and special items such as namespace and processing instructions.

A beginning and an end indicator denote element boundaries. For example, the beginning of an element of name “Name” is indicated by <Name>, while the end of that element is indicated by </Name>. All items that occur within the two delimiters of an element are understood to be within that element's scope.

A “root” node in the tree represents an entire message. For example, any element X that occurs within the scope of another element Y is a descendent of Y; conversely, Y is an ancestor of X. If X is not the descendent of any other element within the scope of Y, then X is a child of Y; conversely, Y is the parent of X

One or more of the following operations can be performed on a message encoded in the XML format:

- Validate the correctness of the message.
  - A template for the message, either in the form of a Document Type Descriptor (DTD) or an XML schema is used for this purpose.
    - Such a template is either provided a priori, for example, through a provisioning interface to the AONS blade, or comes embedded within the XML message itself.
- Extract certain specified parts of the message.
- Transform certain specified parts of the message.
- Transform part of or the entire message.
  - Retain the content but change the format (for instance, from XML format to HTML format),
  - Change the content but retain the format.
    - Simple changes such as: changing a date form from dd-mm-yyyy to mm-dd-yyyy; or changing currency denominations, e.g., from US$ to euro.
    - In-place changes such as normalizing a name to 13 characters.
    - Local structural changes that replace a “sub-tree” of the message with a new sub-tree.
    - Global structural changes that impact the entire message.
  - Add additional information to the content (splicing).
    - This involves maintaining a database on the AONS blade that contains additional information that an administrator has instructed the AONS blade to add to a message given a set of criteria. The system examines the message contents and if criteria set by the administrator matches any specific parts of the message, then the system checks the database for information that is to be added to the message. The database specifies where in the message the information is to be added. For example, if the contents of the message specify that the message is destined for a certain vendor, then additional information is added from the database that informs the vendor of certain policies regarding the information contained in the message.
  - Perform any combination of the above, e.g., change both the content and the format.
- Route the message.
  - Either by unicast or by multicast.
- Store the message in its entirety or selected parts of it, either at the AONS blade or in an external database.
- Compute and/or verify the signatures of the message and its parts as required.

FIG. 28 shows a straightforward implementation of the operations listed above. The XML message content is parsed2801. Data structures are generated that capture the structural relationships among the elements (e.g., an element is a child, parent, ancestor, descendent, left sibling, or right sibling of another element) and the internal structure of each element itself (e.g., its textual value, namespace, list of attributes and their values)2802.

Two standard forms of data structures are the Document Object Model (DOM) and Simple API to XML (SAX). DOM captures all the information present in a message and presents to the application, a tree structure to work with, while SAX simply captures each “event” in the message (such as the beginning of an element, end of an element, beginning of an attribute, value, etc.) and expects the application to infer the structural relationships

The system uses the data structures developed during parsing to access the necessary information inside the message and manipulate that information as required by a specifiedoperation2803.

If the content of the message is modified during an operation, then the new message is re-parsed and the data structures are re-created so they can be used insubsequent operations2804.

Given the current performance of processors and the cost of memory, this approach has several weaknesses that affect system performance. First, it is unusual for an application to require access to all parts of a message. In fact, only small portions of a message are accessed in most instances. But the above approach simply assumes that the entire message is arbitrarily accessed and gathers all of that information a priori, whether or not it is utilized by the application.

Secondly, the sequence of operations applied to a message is pre-determined. Once the message is classified, whereby the sequence of operations to be applied is determined, neither the sequence nor the specific operations changes. Again, the above approach assumes implicitly that any arbitrary sequence of operations is possible and prepares a priori for that eventuality.

Finally, the data structures created from parsing tend to be space-intensive. For example, it is not unusual that the data structures use 5-20 fold more space than the original XML message. This can be deadly in a multiprocessor system if these data structures have to be moved around between processors if they do not share memory.

It is well known in the industry that parsing an XML message and creating its DOM representation is a very expensive operation, typically consuming on the order of 50 CPU cycles per one bit of input. This means that about 50 GHz of compute power is needed to be able to parse a message-traffic of 1 Gb/s. This will increase substantially when all other operations are added, particularly validation and complex transformations, which tend to be even more expensive than parsing. However, such a straightforward implementation can be used when processor performance reaches the threshold that will accommodate such computations.

Another embodiment operates more efficiently than the straightforward approach. This embodiment parses only parts of the message that contain the information needed to identify and classify the message. It further improves efficiency by scanning a message for different sets of items in a single pass. Another embodiment pushes some of the expensive operations into hardware such as a custom ASIC or FPGA to further improve performance.

FIG. 29 shows an efficient embodiment of the invention that performs parsing of only a portion the messages. There are two stages in the processing of a message: message classification and application of operations.

Structured messages have a distinct format that can be searched or parsed to discover desired portions of a message. This allows an administrator or customer to easily specify what types of messages need special treatment. Given that the structure of a message is known ahead of time, an embodiment of the invention can be told by an administrator or customer what information to find in a message to use for classifying the message, how to access the information, and what operations to perform on the message depending upon the value of the information. The system first extracts the portion of the message necessary for classifying the message using pre-determinedmessage format information2901.

Using the XML message example, the system is told how to parse the XML message through XPath expressions (XPath is a standard language developed by the World Wide Web Consortium, or W3C). An XPath expression can specify structural relationships as well as value requirements of the parts of the message to be used. The XPath expressions are downloaded to the AONS blade through provisioning or some other management interface.

The XPath expressions are analyzed and the system determines what parts of the message are of interest. For example, the analysis can tell the system that at least one of the following parts of the message is used to classify the message:

- The first n bytes of the header are required.
- The entire header is required.
- The first n bytes of the body are required.
- The last n bytes of the body are required.
- The initial part of the body up to the element “x” is required.
- Only the first instance of the element “x” is required.
- All instances of the element “x” are required.
- The first instances of each of the elements x₁, x₂, . . . x_nare required.
- All instances of the elements x₁, x₂, . . . x_nare required.
- Same as the above statements, with “element” replaced by “attribute”.
- The entire contents of the message are required.

The system extracts the part(s) of the message that is/are needed from the analysis. The XPath analysis is performed off-line by the system, independent of the incoming messages, and before receiving a message to which the analysis will have to be applied. No such analysis is required while processing the message itself.

The message is then classified using the values of the extracted information. The XPath expressions are used to evaluate the extractedinformation2902. The classification can be based on a certain value, name, destination, combinations of information, etc. In most instances, message classification is based on either the message header or, in addition to the header, some small initial part of the message body itself. It is rare to have to look deep into a message to classify it. The system does not make any assumption about which parts of a message need to be looked at for the purpose of classifying the message. The important point to observe is that the system knows beforehand how a message will have to be classified given the value of certain information.

When a message is received by the system, it classifies the message by first extracting the information from the message necessary for classification and then applying the XPath expressions to that information. The result is that zero or more expressions are satisfied and, if multiple expressions are satisfied, then the first expression is chosen and the corresponding classification type is assigned to the message.

Prudent pre-processing and analysis of both the classification requirements and the operations sequences makes it possible to identify the precise sets of elements, attributes, or other items that need to be extracted/aggregated. The analysis further indicates where the items can be found. This information in turn is used to limit the fraction of the incoming message that needs to be processed in order to provide data for classification and/or the subsequent operations on the message. These two facets of the analysis are used to ensure that no item in the incoming message is accessed more than once (i.e., single-pass) to extract the necessary parts of the message.

For example, consider a Purchase Order formatted in XML. The Purchase Order contains the ordering party's information represented by elements—company name, street address, city, zip, and phone number, and multiple instances of an item element, where each item element has a name, a number, a description, and a price as its child elements. The system allows the administrator or customer to classify such messages based on the total amount of the order. The message is oftype1 if the total amount exceeds $100,000,type2 if the total amount is between $50,000 and $100,000, andtype3 if the total amount is under $50,000. This can be expressed by three XPath expressions: sum(price)>100000; sum(price)>50000 and sum(price)=<100000; and sum(price)<50000. It is clear in this example that only the “price” elements need to be accessed and their values accumulated.

Thus, by analyzing a given set of XPath expressions for message classification the system is able consider only the relevant parts of the message and ignore the rest of the message. In addition, as the above example shows, all that needs to be done in many cases is to extract some information from the message, aggregate it in some fashion, and then compare it to some known value or directly compare it to a known value (or values). Special data structures do not need to be built, nor does a representation of the original message as a DOM, SAX, or any other means need be developed for this purpose.

A unique sequence of operations is implied by the classification and those operations must then be applied to themessage2903. As with the classification XPath expressions, these operations are also known a priori and can be pre-analyzed to make intelligent decisions about the parts of the message that need to be accessed. Some of the operations can be identical to the classification process itself. For example, extracting parts of the message and routing the message are two such operations. The system treats them in the same manner as above and extracts the relevant parts of the message without having to build any explicit data structures representing the message for that purpose.

The operations may tell the system that the message is to be routed to a destination different from the originally addressed destination or is to be stored in a local database or anexternal database2904.

Given the example above, the operations may specify thattype1 messages are to be routed to machine A,type2 messages are to be routed to machine B, andtype3 messages are to be routed to machine C.

A validation operation operates on the entire message, while most of the transformation operations listed above can be accomplished without having to access the entire message. For instance, if the system needs to replace a sub-tree in the message, then it is sufficient to extract that sub-tree. Only in the most general case of global changes to the message does the system need to work on the entire message.

As discussed above, it is currently not possible to achieve gigabit throughputs with a small number of general-purpose processors when the operations take 50 or more cycles per bit. One could use an array of servers in a general setting, but the interest here is with a system that is physically limited to a single chassis or even to a single board within a chassis. This prohibits the use of a large number of processors simply due to space and electric power constraints. It also makes it essential that at least some of the more expensive operations be pushed into hardware. Although not all functions can be pushed into hardware. For example, some of the operations are still evolving through the standardization process. For instance, XPath 2.0 is a new version of XPath (the current version being 1.0) and an alternative to XPath itself, XQuery, is also gaining momentum.

Operations such as extracting some selected parts from an XML message can be largely performed in flexible custom hardware that can also provide some amount of programmability. Since the extraction operation can be reused in several other operations, including most types of transformations, it can be a prime candidate for custom hardware. Such a device can receive a set of XPath expressions pre-processed into instructions that specify the parts of the message that need to be extracted (for the purposes of classifying the message and performing operations on the message) and then applies the instructions to an incoming XML message. The output of the device could be the set of XPath expressions satisfied by the message.

The efficiency of the embodiment of the invention comes from multiple sources:

- Limiting the fraction of the message that is processed.
- Ensuring that all processing on a message is accomplished in a single pass through the necessary parts of the message.
- Using custom hardware for implementing the most expensive component of the operations—extracting a specified set of items from the message.
- Combining the analysis of all operations into a single collection of item extraction requirement.

The impact of all of these techniques together is substantial, particularly when the ratio of the message size to the size of the parts of the message accessed is high. Such scenarios frequently arise during classification and also in transformations that do not perform global modifications to the message. When the message size is large, the custom hardware makes it possible to quickly extract the parts of interest that can then be processed during the operations. This leads to a dual positive effect:

- Since the extraction is performed in hardware, general-purpose processor cycles do not have to be used for that purpose—this is particularly effective when the message is large; and
- Since the hardware extracts only the parts of the message that need further processing, general-purpose processor cycles are only used on a small part of the message.

Consider the following example:

- The size of a message is n bits and m of these bits are extracted by the hardware for further processing.
- The operations take p CPU cycles per bit.
- DOM creation takes q CPU cycles per bit.
- In this scenario, if the DOM approach is used without any custom hardware, then the DOM creation takes n*q cycles, and the additional operations take a further n*p cycles, for a total of n*(p+q) cycles.
  - In contrast, this embodiment takes no CPU cycles for the initial message processing (the counterpart to DOM creation) and m*p cycles for the rest of the processing. The ratio is then n*(p+q)/m*p, which is at least as large as n/m, the ratio between the message size and the size of the extracted items.

Thus, as compared to first generating a DOM representation and then applying each of the operations to the message, this embodiment can provide a phenomenal increase in performance, as a linear function of the message size reduction (i.e., the fraction of message utilizing for processing). A typical message of 5 kB can be classified using a few hundred bytes (on the order of 200-300 in most instances), giving a ratio of nearly 20. This embodiment speeds up the process by a similar factor.

4.0 Implementation Mechanisms—Hardware Overview

FIG. 5 is a block diagram that illustrates acomputer system500 upon which an embodiment of the invention may be implemented. The preferred embodiment is implemented using one or more computer programs running on a network element such as a proxy device. Thus, in this embodiment, thecomputer system500 is a proxy device such as a load balancer.

Computer system

500 includes abus502 or other communication mechanism for communicating information, and aprocessor504 coupled withbus502 for processing information.Computer system500 also includes amain memory506, such as a random access memory (RAM), flash memory, or other dynamic storage device, coupled tobus502 for storing information and instructions to be executed byprocessor504.Main memory506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed byprocessor504.Computer system500 further includes a read only memory (ROM)508 or other static storage device coupled tobus502 for storing static information and instructions forprocessor504. Astorage device510, such as a magnetic disk, flash memory or optical disk, is provided and coupled tobus502 for storing information and instructions.

Acommunication interface518 may be coupled tobus502 for communicating information and command selections toprocessor504.Interface518 is a conventional serial interface such as an RS-232 or RS-322 interface. Anexternal terminal512 or other computer system connects to thecomputer system500 and provides commands to it using theinterface514. Firmware or software running in thecomputer system500 provides a terminal interface or character-based command interface so that external commands can be given to the computer system.

Aswitching system516 is coupled tobus502 and has aninput interface514 and anoutput interface519 to one or more external network elements. The external network elements may include alocal network522 coupled to one ormore hosts524, or a global network such asInternet528 having one ormore servers530. Theswitching system516 switches information traffic arriving oninput interface514 tooutput interface519 according to pre-determined protocols and conventions that are well known. For example, switchingsystem516, in cooperation withprocessor504, can determine a destination of a packet of data arriving oninput interface514 and send it to the correct destination usingoutput interface519. The destinations may includehost524,server530, other end stations, or other routing and switching devices inlocal network522 orInternet528.

The invention is related to the use ofcomputer system500 for avoiding the storage of client state oncomputer system500. According to one embodiment of the invention,computer system500 provides for such updating in response toprocessor504 executing one or more sequences of one or more instructions contained inmain memory506. Such instructions may be read intomain memory506 from another computer-readable medium, such asstorage device510. Execution of the sequences of instructions contained inmain memory506 causesprocessor504 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained inmain memory506. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term “computer-readable medium” as used herein refers to any medium that participates in providing instructions toprocessor504 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such asstorage device510. Volatile media includes dynamic memory, such asmain memory506. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprisebus502. Transmission media can also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.

Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.

Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions toprocessor504 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local tocomputer system500 can receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled tobus502 can receive the data carried in the infrared signal and place the data onbus502.Bus502 carries the data tomain memory506, from whichprocessor504 retrieves and executes the instructions. The instructions received bymain memory506 may optionally be stored onstorage device510 either before or after execution byprocessor504.

Communication interface

518 also provides a two-way data communication coupling to anetwork link520 that is connected to alocal network522. For example,communication interface518 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example,communication interface518 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation,communication interface518 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link520 typically provides data communication through one or more networks to other data devices. For example,network link520 may provide a connection throughlocal network522 to ahost computer524 or to data equipment operated by an Internet Service Provider (ISP)526.ISP526 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the “Internet”528.Local network522 andInternet528 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals onnetwork link520 and throughcommunication interface518, which carry the digital data to and fromcomputer system500, are exemplary forms of carrier waves transporting the information.

Computer system

500 can send messages and receive data, including program code, through the network(s),network link520 andcommunication interface518. In the Internet example, aserver530 might transmit a requested code for an application program throughInternet528,ISP526,local network522 andcommunication interface518. In accordance with the invention, one such downloaded application provides for avoiding the storage of client state on a server as described herein.

Processor

504 may execute the received code as it is received and/or stored instorage device510 or other non-volatile storage for later execution. In this manner,computer system500 may obtain application code in the form of a carrier wave.

5.0 Extensions and Alternatives

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.